Abstract. Probabilistic and stochastic behavior are omnipresent in computer controlled systems, in particular in so-called safety-critical hybrid systems, because of fundamental properties of nature, uncertain environments, or simplifications made to overcome complexity. The tight intertwining of discrete, continuous and stochastic dynamics complicates the modelling, analysis and verification of stochastic hybrid systems (SHSs). This issue has been extensively investigated in the literature, but it remains challenging, as no promising general solutions are available yet. In this paper, we contribute a general compositional approach for modelling and verification of SHSs. First, we extend Hybrid CSP (HCSP), a very expressive, process-algebra-like formal modeling language for hybrid systems, by introducing probability and stochasticity to model SHSs; the result is called stochastic HCSP (SHCSP). To this end, ordinary differential equations (ODEs) are generalized to stochastic differential equations (SDEs), and non-deterministic choice is replaced by probabilistic choice. Then, we extend Hybrid Hoare Logic (HHL) to specify and reason about SHCSP processes. We demonstrate our approach on a real-world example.


1 Introduction 

Probabilistic and stochastic behavior are omnipresent in computer controlled systems, such as safety-critical hybrid systems, because of uncertain environments or simplifications made to overcome complexity. For example, the movement of an aircraft can be influenced by wind; in networked control systems, message loss and other random effects (e.g., node placement, node failure, battery drain, measurement imprecision) may occur.

Stochastic hybrid systems (SHSs) are systems in which discrete, continuous and stochastic dynamics tightly intertwine. As many SHSs are safety-critical, thorough validation and verification are necessary to enhance their quality and, in particular, to fulfill the quality criteria mandated by the relevant standards. But modeling, analysis and verification of SHSs are difficult and challenging. An obvious research line is to extend hybrid automata [?], the most popular model for traditional hybrid systems, by adding probability and stochasticity. Verification of SHSs can then be done naturally through reachability analysis, either by probabilistic model checking [1,2,3,19,8,20,6] or by simulation, i.e., statistical model checking [?]. Along this line, several different notions of stochastic hybrid automata have been proposed [1,2,3,19,8,20,6], differing in where randomness is introduced. One option is to replace deterministic jumps by a probability distribution over deterministic jumps. Another option is to generalize the differential equations inside a mode to stochastic differential equations. Stochastic hybrid systems comprising stochastic differential equations have been investigated in [?]. More general models can be obtained by mixing the above two choices, and by combining them with memoryless timed probabilistic jumps [?], with a random reset function for each discrete jump [?]. An overview of this line can be found in [?].

To model complex systems, some compositional modelling formalisms have been proposed, e.g., HMODEST [?] and stochastic hybrid programs [?]. HCSP, due to He, Zhou et al. [?], is an extension of CSP [?] that introduces differential equations to model continuous evolution and three types of interruptions (i.e., communication interruption, timeout and boundary condition) to model interactions between continuous evolutions and discrete jumps in HSs. The extension of CSP to a probabilistic setting has been investigated by Morgan et al. [?]. In this paper, we propose a compositional approach for modelling and verification of stochastic hybrid systems. First, we extend Hybrid CSP (HCSP), a very expressive, process-algebra-like modeling language for hybrid systems, by introducing probability and stochasticity; the extension, called stochastic HCSP (SHCSP), is used to model SHSs. In SHCSP, ordinary differential equations (ODEs) are generalized to stochastic differential equations (SDEs), and non-deterministic choice is replaced by probabilistic choice. Different from Platzer's work [?], SHCSP provides more expressive constructs for describing hybrid systems, including communication, parallelism, interruption, and so on.

Probabilistic model checking of SHSs does not scale, in particular when SDEs are taken into account. For example, it is not clear how to approximate the reachable sets of a simple linear SDE with more than two variables. Therefore, existing verification techniques for SHSs based on reachability analysis are inadequate, and new approaches are needed. As an alternative, in [?], Platzer for the first time investigated how to extend deductive verification to SHSs. Inspired by Platzer's work, to specify and reason about SHCSP processes we extend Hybrid Hoare Logic [?], itself an extension of Hoare logic [?] to HSs, to SHSs. Compared with Platzer's work, more computational features of SHSs, and more expressive constructs such as concurrency, communication and interruption, can be handled in our setting. We demonstrate our approach by modeling and verifying a real-world aircraft planning problem.


2 Background and Notations 

Assume that $\mathcal{F}$ is a $\sigma$-algebra on a set $\Omega$ and $P$ is a probability measure on $(\Omega, \mathcal{F})$; then $(\Omega, \mathcal{F}, P)$ is called a probability space. We assume that every subset of a null set (i.e., a set $A$ with $P(A) = 0$) is measurable. A property which holds with probability 1 is said to hold almost surely (a.s.). A filtration is a sequence of $\sigma$-algebras $\{\mathcal{F}_t\}_{t \ge 0}$ with $\mathcal{F}_{t_1} \subseteq \mathcal{F}_{t_2}$ for all $t_1 < t_2$. We always assume that a filtration $\{\mathcal{F}_t\}_{t \ge 0}$ has been completed to include all null sets and is right-continuous.

Let $\mathcal{B}$ represent the Borel $\sigma$-algebra on $\mathbb{R}^n$, i.e. the $\sigma$-algebra generated by all open subsets. A mapping $X : \Omega \to \mathbb{R}^n$ is called an $\mathbb{R}^n$-valued random variable if for each $B \in \mathcal{B}$ we have $X^{-1}(B) \in \mathcal{F}$, i.e. $X$ is $\mathcal{F}$-measurable. A stochastic process $X$ is a function $X : T \times \Omega \to \mathbb{R}^n$ such that for each $t \in T$, $X(t, \cdot) : \Omega \to \mathbb{R}^n$ is a random variable, and for each $\omega \in \Omega$, $X(\cdot, \omega) : T \to \mathbb{R}^n$ is a sample path. A stochastic process $X$ is adapted to a filtration $\{\mathcal{F}_t\}_{t \ge 0}$ if each $X_t$ is $\mathcal{F}_t$-measurable. Intuitively, a filtration represents all available historical information of a stochastic process, but nothing about its future. A càdlàg function defined on $\mathbb{R}$ is right-continuous and has left limits. A stochastic process $X$ is càdlàg iff all of its paths $t \mapsto X_t(\omega)$ (for each $\omega \in \Omega$) are càdlàg. A $d$-dimensional Brownian motion $W$ is a stochastic process with $W_0 = 0$ that is almost surely continuous everywhere and has independent increments in time, i.e. $W_t - W_s \sim N(0, t - s)$ (for $0 \le s < t$), where $N(0, t - s)$ denotes the normal distribution with mean 0 and variance $t - s$. Brownian motion is mathematically extremely complex: its path is almost surely continuous everywhere but differentiable nowhere. Intuitively, $W$ can be understood as the limit of a random walk. A Markov time with respect to a stochastic process $X$ is a random variable $\tau$ such that for any $t \ge 0$, the event $\{\tau \le t\}$ is determined by (at most) the information up to time $t$, i.e. $\{\tau \le t\} \in \mathcal{F}_t$.

We use stochastic differential equations (SDEs) to model stochastic continuous evolution. An SDE has the form $dX_t = b(X_t)\,dt + \sigma(X_t)\,dW_t$, where $W_t$ is a Brownian motion. The drift coefficient $b(X_t)$ determines how the deterministic part of $X_t$ changes with respect to time, and the diffusion coefficient $\sigma(X_t)$ determines the stochastic influence on $X_t$ with respect to the Brownian motion $W_t$. Obviously, any solution to an SDE is a stochastic process.


3 Stochastic HCSP 

A system in Stochastic HCSP (SHCSP) consists of a finite set of sequential processes 
in parallel which communicate via channels synchronously. Each sequential process 
is represented as a collection of stochastic processes, each of which arises from the 
interaction of discrete computation and stochastic continuous dynamics modeled by 
stochastic differential equations. 

Let Proc represent the set of SHCSP processes and $\Sigma$ the set of channel names. The syntax of SHCSP is given as follows:

$P ::= \mathit{skip} \mid x := e \mid ch?x \mid ch!e \mid P; Q \mid B \to P \mid P^* \mid P \sqcup_p Q \mid \langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle$
$\qquad \mid \langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle \rhd \|_{i \in I}(\omega_i \cdot ch_i{*} \to Q_i)$
$S ::= P \mid S \| S$

Here $ch, ch_i \in \Sigma$; $ch_i{*}$ stands for a communication event, e.g. $ch?x$ or $ch!e$; $x$ is a variable; $B$ and $e$ are Boolean and arithmetic expressions; $P, Q, Q_i \in \mathit{Proc}$ are sequential processes; $p \in [0,1]$ stands for the probability of the choice between $P$ and $Q$; $s$ is a vector of continuous variables; $b$ and $\sigma$ are functions of $s$; and $W$ is the Brownian motion process. Finally, $S$ stands for a system, i.e., an SHCSP process.

As defined in the syntax of $P$, the processes in the first line originate from HCSP, while the last two lines are new in SHCSP. The individual constructs can be understood intuitively as follows:

- skip, the assignment $x := e$, the sequential composition $P; Q$, and the alternative statement $B \to P$ are defined as usual.

- $ch?x$ receives a value along channel $ch$ and assigns it to $x$.

- $ch!e$ sends the value of $e$ along channel $ch$. A communication takes place when both the sending and the receiving parties are ready, and may cause one side to wait.

- The repetition $P^*$ executes $P$ some finite number of times.

- $P \sqcup_p Q$ denotes probabilistic choice. It behaves as $P$ with probability $p$ and as $Q$ with probability $1 - p$.

- $\langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle$ specifies that the system evolves according to the stochastic process defined by the stochastic differential equation $ds = b\,dt + \sigma\,dW$. As soon as the Boolean expression $B$, which defines the domain of $s$, turns false, it terminates. We will later use $d(s)$ to return the dimension of $s$.

- $\langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle \rhd \|_{i \in I}(\omega_i \cdot ch_i{*} \to Q_i)$ behaves like $\langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle$, except that the stochastic evolution is preempted as soon as one of the communications $ch_i{*}$ takes place, after which the respective $Q_i$ is executed. $I$ is supposed to be finite, and for each $i \in I$, $\omega_i \in \mathbb{Q}^+$ represents the weight of $ch_i{*}$. If one or more communications are ready at the same time, say $\{ch_j{*}\}_{j \in J}$ with $J \subseteq I$ and $|J| \ge 1$, then $ch_j{*}$ is chosen with probability $\omega_j / \sum_{k \in J} \omega_k$, for each $j \in J$. If the stochastic dynamics terminates before any communication among $\{ch_i{*}\}_{i \in I}$ occurs, then the process terminates without communicating.

- $S_1 \| S_2$ behaves as if $S_1$ and $S_2$ run independently, except that all communications along the common channels connecting $S_1$ and $S_2$ are synchronized. The processes $S_1$ and $S_2$ in parallel can share neither variables nor input or output channels.

3.1 A Running Example

We use SHCSP to model the position of an aircraft during flight, inspired by [?]. Consider an aircraft following a flight path consisting of a sequence of line segments at a fixed altitude. Ideally, the aircraft should fly at a constant velocity $v$ along the nominal path, but due to wind or cloud disturbance the aircraft may deviate from the path. For safety, the aircraft should follow a correction heading to get back to the nominal path as quickly as possible. On one hand, the correction heading should be orthogonal to the nominal path for the shortest way back; on the other hand, it should also make progress towards the destination. Considering these two objectives, we assume the correction heading always forms an acute angle with the nominal path.

Here we model the behavior of the aircraft along one line segment. Without loss of generality, we assume the segment lies along the $x$-axis, with $(x_s, 0)$ as the starting point and $(x_e, 0)$ as the ending point. When the aircraft deviates from the segment by a vertical distance greater than $\Delta$, we consider it to have entered a dangerous state. Let $(x_s, y_0)$ be the initial position of the aircraft in this segment; then the future position $(x(t), y(t))$ of the aircraft is governed by the following SDE:

$[dx, dy]^T = v\,[\cos(\theta(t)), \sin(\theta(t))]^T dt + dW(t),$

where $\theta(t)$ is the correction heading, defined with a constant angle $\gamma$ when the aircraft deviates from the nominal path:

$\theta(t) = \cdots$ if $y(t) > 0$; $\quad \theta(t) = \cdots$ if $y(t) = 0$; $\quad \theta(t) = \cdots$ if $y(t) < 0$.

Define $B$ to be $x_s < x < x_e$. The movement of the aircraft described above can be modelled by the following SHCSP process $P_{Air}$:

$x := x_s;\ y := y_0;\ \langle [dx, dy]^T = v\,[\cos(\theta(t)), \sin(\theta(t))]^T dt + dW(t) \,\&\, B\rangle$
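The following Python program is an added illustration, not code from the paper: it simulates the SDE form of Section 2 for the process $P_{Air}$ above by the Euler-Maruyama scheme (drift step plus Gaussian increments of variance $dt$) and estimates by Monte Carlo the probability that the aircraft enters the dangerous state $|y| > \Delta$ before leaving the segment. It assumes values the page does not state: $\theta(t)$ is $-\gamma$ above the path, $+\gamma$ below it and $0$ on it; $dW(t)$ has two independent components scaled by a parameter `noise`; and the evolution runs until $x$ reaches $x_e$ (with the literal domain $x_s < x < x_e$, rule (Cont-2) of Section 4 would stop the evolution at the starting point $x = x_s$). The function names are ours.

```python
import math
import random

# Added example, not the paper's code. Euler-Maruyama simulation of
# P_Air = x := x_s; y := y_0; <[dx, dy]^T = v[cos(theta), sin(theta)]^T dt + dW & B>.

def heading(y, gamma):
    """Correction heading theta(t). Assumption: -gamma above the nominal path (y > 0),
    +gamma below it (y < 0), 0 on the path; the paper only fixes the magnitude gamma."""
    if y > 0.0:
        return -gamma
    if y < 0.0:
        return gamma
    return 0.0

def euler_maruyama_step(s, drift, diffusion, dt, rng):
    """One Euler-Maruyama step of ds = b(s) dt + sigma(s) dW: the drift b(s) moves the
    state deterministically, the diffusion matrix sigma(s) scales Brownian increments
    dW ~ N(0, dt) drawn independently per component."""
    b = drift(s)
    sig = diffusion(s)
    dw = [rng.gauss(0.0, math.sqrt(dt)) for _ in range(len(sig[0]))]
    return [s[i] + b[i] * dt + sum(sig[i][k] * dw[k] for k in range(len(dw)))
            for i in range(len(s))]

def simulate_segment(x_s, x_e, y0, v, gamma, noise, dt, rng=None):
    """Runs P_Air along one segment and returns (final_state, max |y| seen).
    Assumption: the evolution continues while x < x_e, i.e. until the segment end is passed."""
    if rng is None:
        rng = random.Random(0)
    s = [x_s, y0]                      # the assignments x := x_s; y := y_0
    peak = abs(y0)
    drift = lambda st: [v * math.cos(heading(st[1], gamma)),
                        v * math.sin(heading(st[1], gamma))]
    diffusion = lambda st: [[noise, 0.0], [0.0, noise]]   # dW(t) enters (dx, dy) directly
    while s[0] < x_e:
        s = euler_maruyama_step(s, drift, diffusion, dt, rng)
        peak = max(peak, abs(s[1]))
    return s, peak

def danger_probabilities(deltas, runs=400, seed=7, **params):
    """Monte Carlo estimate of P(|y| > Delta at some time during the segment) for each
    Delta in deltas, evaluated on the same sampled paths, so a larger Delta gives a
    smaller (or equal) estimate."""
    rng = random.Random(seed)
    peaks = [simulate_segment(rng=rng, **params)[1] for _ in range(runs)]
    return [sum(1 for m in peaks if m > d) / runs for d in deltas]

if __name__ == "__main__":
    # constructed parameters: segment of length 10, start 0.5 above the path, 30 degree heading
    params = dict(x_s=0.0, x_e=10.0, y0=0.5, v=1.0, gamma=math.radians(30), noise=0.3, dt=0.01)
    for d, p in zip([0.5, 1.0, 2.0], danger_probabilities([0.5, 1.0, 2.0], **params)):
        print(f"Delta = {d}: estimated probability of entering the dangerous state = {p:.3f}")
```

With `noise=0` the scheme reduces to the deterministic ODE, and the aircraft simply returns to the path and stays within one step of it; with noise, the estimates for increasing $\Delta$ are non-increasing because they are computed on the same sampled paths.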

4 Operational Semantics 

Before giving the operational semantics, we introduce some notation.

System Variables In order to interpret SHCSP processes, we use the non-negative reals $\mathbb{R}^+$ to model time, and introduce a global clock now as a system variable to record the time during the execution of a process. A timed communication has the form $(ch.c, b)$, where $ch \in \Sigma$, $c \in \mathbb{R}$ and $b \in \mathbb{R}^+$, representing that a communication along channel $ch$ occurs at time $b$ with value $c$ transmitted. The set $\Sigma \times \mathbb{R} \times \mathbb{R}^+$ of all timed communications is denoted by $T\Sigma$. The set of all timed traces is

$T\Sigma^{\le} = \{\gamma \in T\Sigma^* \mid \text{if } (ch_1.c_1, b_1) \text{ precedes } (ch_2.c_2, b_2) \text{ in } \gamma, \text{ then } b_1 \le b_2\}.$

If $C \subseteq \Sigma$, $\gamma\!\upharpoonright_C$ is the projection of $\gamma$ onto $C$, such that only the timed communications along channels of $C$ in $\gamma$ are preserved. Given two timed traces $\gamma_1, \gamma_2$ and $X \subseteq \Sigma$, the alphabetized parallel of $\gamma_1$ and $\gamma_2$ over $X$, denoted by $\gamma_1 \|_X \gamma_2$, results in the following set:

$\{\gamma \mid \gamma\!\upharpoonright_{\Sigma(\gamma_1) \cup \Sigma(\gamma_2)} = \gamma,\ \gamma\!\upharpoonright_{\Sigma(\gamma_1)} = \gamma_1,\ \gamma\!\upharpoonright_{\Sigma(\gamma_2)} = \gamma_2 \text{ and } \gamma\!\upharpoonright_X = \gamma_1\!\upharpoonright_X = \gamma_2\!\upharpoonright_X\},$

where $\Sigma(\gamma)$ stands for the set of channels that occur in $\gamma$.

To model synchronization of communication events, we need to describe their readiness. Because a communication itself takes no time once both parties are ready, multiple communications may occur at a single time point. In order to record the execution order of communications occurring at the same time point, we prefix each communication readiness with the timed trace that happened before the ready communication event. Formally, each communication readiness has the form $\gamma.ch?$ or $\gamma.ch!$, where $\gamma \in T\Sigma^{\le}$. We denote by RDY the set of communication readiness in the sequel.

Finally, we introduce two system variables, rdy and tr, to represent the ready set of communication events and the timed trace accumulated at the considered time, respectively. In what follows, we use $Var(P)$ to represent the set of process variables of $P$ plus the system variables $\{rdy, tr, now\}$ introduced above, which take values respectively from $\mathbb{R} \cup RDY \cup T\Sigma^{\le} \cup \mathbb{R}^+$, denoted by Val.
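As an added illustration, not code from the paper, the following Python program implements the projection $\gamma\!\upharpoonright_C$ and the alphabetized parallel $\gamma_1 \|_X \gamma_2$ defined above. It encodes a timed communication $(ch.c, b)$ as the tuple `(ch, c, b)` (our encoding) and keeps only time-ordered results, i.e. members of $T\Sigma^{\le}$. The checker `is_parallel_of` states the set comprehension literally, so the enumeration produced by `alphabetized_parallel` can be validated against the definition; both function names are ours.

```python
# Added example, not the paper's code: timed traces as lists of (channel, value, time).

def project(trace, channels):
    """gamma restricted to C: keep only the timed communications on channels in C."""
    return [ev for ev in trace if ev[0] in channels]

def channels_of(trace):
    """Sigma(gamma): the set of channels occurring in gamma."""
    return {ev[0] for ev in trace}

def time_ordered(trace):
    """Membership in T Sigma^<=: time stamps never decrease along the trace."""
    return all(trace[i][2] <= trace[i + 1][2] for i in range(len(trace) - 1))

def is_parallel_of(gamma, g1, g2, X):
    """The defining conditions of gamma in g1 ||_X g2, checked literally."""
    both = channels_of(g1) | channels_of(g2)
    return (time_ordered(gamma)
            and project(gamma, both) == list(gamma)
            and project(gamma, channels_of(g1)) == list(g1)
            and project(gamma, channels_of(g2)) == list(g2)
            and project(gamma, X) == project(g1, X) == project(g2, X))

def alphabetized_parallel(g1, g2, X):
    """Enumerates g1 ||_X g2: interleave the two traces, merging events on the shared
    channels X (they must agree in channel, value and time) and keeping only the
    time-ordered results."""
    if project(g1, X) != project(g2, X):
        return []                       # no synchronisation on X is possible
    results = []

    def merge(i, j, acc):
        if i == len(g1) and j == len(g2):
            if time_ordered(acc) and acc not in results:
                results.append(list(acc))
            return
        if i < len(g1) and g1[i][0] not in X:          # private event of g1
            merge(i + 1, j, acc + [g1[i]])
        if j < len(g2) and g2[j][0] not in X:          # private event of g2
            merge(i, j + 1, acc + [g2[j]])
        if i < len(g1) and j < len(g2) and g1[i][0] in X and g1[i] == g2[j]:
            merge(i + 1, j + 1, acc + [g1[i]])         # synchronised event, recorded once

    merge(0, 0, [])
    return results

if __name__ == "__main__":
    g1 = [("a", 1, 0.0), ("c", 5, 2.0)]     # constructed sample traces sharing channel c
    g2 = [("b", 2, 1.0), ("c", 5, 2.0)]
    for gamma in alphabetized_parallel(g1, g2, {"c"}):
        print(gamma, is_parallel_of(gamma, g1, g2, {"c"}))
```

For the sample traces only one interleaving survives, because placing $b$ (at time 1) before $a$ (at time 0) would violate the time ordering; when two private events carry the same time stamp, both orders are returned.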
States and Functions To interpret a process $P \in Proc$, we define a state as a mapping from $Var(P)$ to Val, and denote by $\mathcal{V}$ the set of such states. Because of stochasticity, we introduce a random variable $\rho : \Omega \to \mathcal{V}$ to describe a distribution over all possible states. In addition, we introduce a stochastic process $\mathcal{H} : Intv \times \Omega \to \mathcal{V}$ to represent the continuous flow of process $P$ over the time interval Intv, i.e., the state distributions on the interval. In what follows, we will abuse "state distribution" as "state" if not stated otherwise.

Given two states $\rho_1$ and $\rho_2$, we say $\rho_1$ and $\rho_2$ are parallelable iff for each $\omega \in \Omega$, $Dom(\rho_1(\omega)) \cap Dom(\rho_2(\omega)) = \{rdy, tr, now\}$ and $\rho_1(\omega)(now) = \rho_2(\omega)(now)$. Given two parallelable states $\rho_1$ and $\rho_2$, paralleling them over $X \subseteq \Sigma$ results in a set of new states, denoted by $\rho_1 \uplus \rho_2$, any of which, say $\rho$, is given by

$\rho(\omega)(v) \stackrel{def}{=} \begin{cases} \rho_1(\omega)(v) & \text{if } v \in Dom(\rho_1(\omega)) \setminus Dom(\rho_2(\omega)), \\ \rho_2(\omega)(v) & \text{if } v \in Dom(\rho_2(\omega)) \setminus Dom(\rho_1(\omega)), \\ \rho_1(\omega)(now) & \text{if } v = now, \\ \gamma, \text{ where } \gamma \in \rho_1(\omega)(tr) \|_X \rho_2(\omega)(tr) & \text{if } v = tr, \\ \rho_1(\omega)(rdy) \cup \rho_2(\omega)(rdy) & \text{if } v = rdy. \end{cases}$

It makes no sense to distinguish any two states in $\rho_1 \uplus \rho_2$, so hereafter we abuse $\rho_1 \uplus \rho_2$ to represent any of its elements. $\rho_1 \uplus \rho_2$ will be used to represent the states of parallel processes.

Given a random variable $\rho$, the update $\rho[v \mapsto e]$ represents a new random variable such that for any $\omega \in \Omega$ and $x \in Var$, $\rho[v \mapsto e](\omega)(x)$ is defined as the value of $e$ if $x$ is $v$, and $\rho(\omega)(x)$ otherwise. Given a stochastic process $X : [0, d) \times \Omega \to \mathbb{R}^{d(s)}$, for any $t$ in the domain, $\rho[s \mapsto X_t]$ is a new random variable such that for any $\omega \in \Omega$ and $x \in Var$, $\rho[s \mapsto X_t](\omega)(x)$ is defined as $X(t, \omega)$ if $x$ is $s$, and $\rho(\omega)(x)$ otherwise.

At last, given a state $\rho$ and a duration $d$, we define the stochastic process over the interval $[\rho(now), \rho(now) + d]$ whose value at any $t \in [\rho(now), \rho(now) + d]$ and any $\omega$ is $\rho[now \mapsto t](\omega)$; and moreover, given additionally a process $X$, the stochastic process over the interval $[\rho(now), \rho(now) + d]$ whose value at any $t \in [\rho(now), \rho(now) + d]$ and any $\omega$ is $\rho[now \mapsto t, rdy \mapsto \emptyset, s \mapsto X_t](\omega)$.

4.1 Operational Semantics

Each transition relation has the form $(P, \rho) \xrightarrow{\alpha} (P', \rho', \mathcal{H})$, where $P$ and $P'$ are processes, $\alpha$ is an event, $\rho, \rho'$ are states, and $\mathcal{H}$ is a stochastic process. It expresses that starting from the initial state $\rho$, $P$ evolves into $P'$ by performing event $\alpha$, and ends in state $\rho'$, with the execution history of $\alpha$ recorded by the continuous flow $\mathcal{H}$. When the transition is discrete and thus produces a flow on a point interval (i.e. the current time now), we write $(P, \rho) \xrightarrow{\alpha} (P', \rho')$ instead of $(P, \rho) \xrightarrow{\alpha} (P', \rho', \{\rho(now) \mapsto \rho'\})$. The label $\alpha$ represents events, which can be an internal event like skip, an assignment, or the termination of a continuous evolution, etc., uniformly denoted by $\tau$; an external communication event $ch?c$ or $ch!c$; an internal communication $ch.c$; or a time delay $d$, a positive real number. We call all events except time delays discrete events, and use $\beta$ to range over them. We define the dual of $ch?c$ (denoted by $\overline{ch?c}$) as $ch!c$, and vice versa, and define $comm(ch?c, ch!c)$ or $comm(ch!c, ch?c)$ as the communication $ch.c$. In the operational semantics, besides the timed communications, we also record in tr the internal events that have occurred so far.

For reasons of space, we present the semantics of the new constructs of SHCSP in Table 1. The semantics of the remaining constructs is the same as for HCSP and can be found in the Appendix. The semantics of probabilistic choice is given by rules (PCho-1) and (PCho-2): it is defined with respect to a random variable $U$ distributed uniformly in $[0,1]$, such that for any sample $\omega$, if $U(\omega) < p$ then $P$ is taken, otherwise $Q$ is taken. In either case, an internal action is assumed to have happened. A stochastic dynamics can continuously evolve for $d$ time units if $B$ holds throughout this period, see (Cont-1). In (Cont-1), the variable $X$ is the solution of the SDE and the ready set keeps unchanged, as reflected by the flow. The stochastic dynamics terminates at a point whenever $B$ turns false in a neighborhood of that point (Cont-2). A communication interrupt evolves for $d$ time units if none of the communications $ch_i{*}$ is ready (IntP-1), is interrupted to execute $ch_i{*}$ whenever $ch_i{*}$ occurs first (IntP-2), or terminates immediately in case the continuous evolution terminates before any communication happens (IntP-3).

The following theorem indicates that the semantics of SHCSP is well defined.

Theorem 1. For each transition $(P, \rho) \xrightarrow{\alpha} (P', \rho', \mathcal{H})$, $\mathcal{H}$ is an almost surely càdlàg process adapted to the completed filtration $\{\mathcal{F}_t\}_{t \ge 0}$ (generated by $\rho$, the Brownian motion $(B_s)_{s \le t}$, the weights $\{\omega_i\}_{i \in I}$ and the uniform process $U$), and the evolving time from $P$ to $P'$, denoted by $\Delta(P, P')$, is a Markov time.

Proof. The proof of this theorem can be found in the Appendix.


5 Assertions and Specifications

In this section, we define a specification logic for reasoning about SHCSP programs. We first present the assertions, including their syntax and semantics, and then the specifications based on Hoare triples. The proof system is given in the next section.

5.1 Assertion Language

The assertion language is essentially a first-order logic with an emphasis on the notion of explicit time and with several specific predicates on the occurrence of communication traces and events. Before giving the syntax of assertions, we introduce three kinds of expressions.

$h ::= \epsilon \mid (ch.E, T) \mid h \cdot h \mid h^*$
$E ::= c \mid x \mid f^k(E_1, \ldots, E_k)$
$T ::= o \mid now \mid u^k(T_1, \ldots, T_k)$

$h$ defines trace expressions, among which $(ch.E, T)$ represents that a value $E$ is transmitted along channel $ch$ at time $T$. $E$ defines value expressions, including a value constant $c$, a variable $x$, or arithmetic value expressions. $T$ defines time expressions, including a time constant $o$, the system variable now, or arithmetic time expressions.
Table 1. The semantics of the new constructs of SHCSP

(PCho-1)  $U$ is a random variable distributed uniformly in $[0,1]$, $U(\omega) < p$
  $\Longrightarrow\ (P \sqcup_p Q, \rho) \xrightarrow{\tau} (P, \rho[tr \mapsto tr \cdot (\tau, now)])$

(PCho-2)  $U$ is a random variable distributed uniformly in $[0,1]$, $U(\omega) \ge p$
  $\Longrightarrow\ (P \sqcup_p Q, \rho) \xrightarrow{\tau} (Q, \rho[tr \mapsto tr \cdot (\tau, now)])$

(Cont-1)  $X : [0, d) \times \Omega \to \mathbb{R}^{d(s)}$ is the solution of $ds = b\,dt + \sigma\,dW$, and $\forall t \in [0, d).\ \forall \omega.\ \rho[now \mapsto now + t, s \mapsto X_t](\omega)(B) = T$
  $\Longrightarrow\ (\langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle, \rho) \xrightarrow{d} (\langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle, \rho[now \mapsto now + d, s \mapsto X_d], \mathcal{H})$, where $\mathcal{H}$ is the flow over $[\rho(now), \rho(now) + d]$ built from $\rho$, $d$ and $X$ as defined in Section 4

(Cont-2)  $\exists \omega.\ (\rho(\omega)(B) = F)$, or ($X : [0, d) \times \Omega \to \mathbb{R}^{d(s)}$ is the solution of $ds = b\,dt + \sigma\,dW$ and $\exists \varepsilon > 0.\ \forall t \in (0, \varepsilon).\ \exists \omega.\ \rho[now \mapsto now + t, s \mapsto X_t](\omega)(B) = F$)
  $\Longrightarrow\ (\langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle, \rho) \xrightarrow{\tau} (\epsilon, \rho[tr \mapsto tr \cdot (\tau, now)])$

(IntP-1)  $(ch_i{*}; Q_i, \rho) \xrightarrow{d} (ch_i{*}; Q_i, \rho'_i, \mathcal{H}_i)$ for all $i \in I$, and $(\langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle, \rho) \xrightarrow{d} (\langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle, \rho', \mathcal{H})$
  $\Longrightarrow\ (\langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle \rhd \|_{i \in I}(\omega_i \cdot ch_i{*} \to Q_i), \rho) \xrightarrow{d} (\langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle \rhd \|_{i \in I}(\omega_i \cdot ch_i{*} \to Q_i), \rho'[rdy \mapsto \bigcup_{i \in I} \rho'_i(rdy)], \mathcal{H}[rdy \mapsto \bigcup_{i \in I} \rho'_i(rdy)])$

(IntP-2)  $\{ch_{i_k}{*}\}_{1 \le k \le m}$ get ready simultaneously while the others do not; $U$ is a random variable distributed uniformly in $[0,1]$; for some $1 \le j \le m$, $\sum_{k=1}^{j-1} \omega_{i_k} \big/ \sum_{k=1}^{m} \omega_{i_k} \le U(\omega) < \sum_{k=1}^{j} \omega_{i_k} \big/ \sum_{k=1}^{m} \omega_{i_k}$; and $(ch_{i_j}{*}; Q_{i_j}, \rho) \xrightarrow{\beta} (Q_{i_j}, \rho')$
  $\Longrightarrow\ (\langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle \rhd \|_{i \in I}(\omega_i \cdot ch_i{*} \to Q_i), \rho) \xrightarrow{\beta} (Q_{i_j}, \rho')$

(IntP-3)  $(\langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle, \rho) \xrightarrow{\tau} (\epsilon, \rho')$
  $\Longrightarrow\ (\langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle \rhd \|_{i \in I}(\omega_i \cdot ch_i{*} \to Q_i), \rho) \xrightarrow{\tau} (\epsilon, \rho')$


The categories of the assertion language include terms, denoted by $\theta, \theta_i$ etc., state formulas, denoted by $S, S_i$ etc., formulas, denoted by $\varphi, \varphi_i$ etc., and probability formulas, denoted by $\mathcal{P}$ etc., which are given by the following BNFs:

$\theta ::= E \mid T \mid h \mid tr$
$S ::= \bot \mid R^n(\theta_1, \ldots, \theta_n) \mid h.ch? \mid h.ch! \mid \neg S \mid S_1 \vee S_2$
$\varphi ::= \bot \mid S \text{ at } T \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \forall v.\varphi \mid \forall t.\varphi$
$\mathcal{P} ::= P(\varphi) \bowtie p \mid \neg\mathcal{P} \mid \mathcal{P} \vee \mathcal{P}$

The terms $\theta$ include value, time and trace expressions, plus the trace variable tr. The state formulas $S$ include false (denoted by $\bot$), truth-valued relations $R^n$ on terms, readiness, and logical combinations of state formulas. In particular, the readiness $h.ch?$ or $h.ch!$ represents that the communication event $ch?$ or $ch!$ is enabled, and that prior to it the sequence of communications recorded in $h$ has occurred. The formulas $\varphi$ include false, a primitive $S$ at $T$ representing that $S$ holds at time $T$, and logical combinations of formulas ($v$ and $t$ represent logical variables for values and time, respectively). For the time primitive, we have the axiom $(S_1 \text{ at } T \wedge S_2 \text{ at } T) \Leftrightarrow (S_1 \wedge S_2) \text{ at } T$. We omit all the other axioms and inference rules for formulas, which are the same as in first-order logic. A probability formula $\mathcal{P}$ has the form $P(\varphi) \bowtie p$, where $\bowtie\, \in \{<, \le, >, \ge\}$ and $p \in \mathbb{Q} \cap [0,1]$, or is a quantifier-free logical composition of probability formulas. In particular, $P(\varphi) \bowtie p$ means that $\varphi$ is true with probability $\bowtie p$. For the special case $P(\varphi) = 1$, we write $\varphi$ for short.

In the sequel, we use the standard logical abbreviations, as well as

$\varphi \text{ dr } [T_1, T_2] \stackrel{def}{=} \forall t.\,(T_1 \le t \le T_2) \to \varphi \text{ at } t$
$\varphi \text{ in } [T_1, T_2] \stackrel{def}{=} \exists t.\,(T_1 \le t \le T_2) \wedge \varphi \text{ at } t$

Interpretation In the following, we use a random variable $Z : \Omega \to (Var \to Val)$ to describe the current state and a stochastic process $\mathcal{H} : [0, +\infty) \times \Omega \to (Var \to Val)$ to represent the whole evolution. The semantics of a term $\theta$ is a function $[\![\theta]\!] : (\Omega \to (Var \to Val)) \to (\Omega \to Val)$ that maps any random variable $Z$ to a random variable $[\![\theta]\!]^Z$, defined as follows:

$[\![c]\!]^Z = c$
$[\![x]\!]^Z = Y$ where $Y(\omega) = Z(\omega)(x)$ for $\omega \in \Omega$
$[\![f^k(E_1, \ldots, E_k)]\!]^Z = f^k([\![E_1]\!]^Z, \ldots, [\![E_k]\!]^Z)$
$[\![o]\!]^Z = o$
$[\![now]\!]^Z = Y$ where $Y(\omega) = Z(\omega)(now)$ for $\omega \in \Omega$
$[\![u^k(T_1, \ldots, T_k)]\!]^Z = u^k([\![T_1]\!]^Z, \ldots, [\![T_k]\!]^Z)$
$[\![\epsilon]\!]^Z = \epsilon$
$[\![(ch.E, T)]\!]^Z = (ch.[\![E]\!]^Z, [\![T]\!]^Z)$
$[\![h_1 \cdot h_2]\!]^Z = [\![h_1]\!]^Z \cdot [\![h_2]\!]^Z$
$[\![h^*]\!]^Z = ([\![h]\!]^Z)^*$

The semantics of a state formula $S$ is a function $[\![S]\!] : (\Omega \to (Var \to Val)) \to (\Omega \to \{0,1\})$ that maps any random variable $Z$ describing the current state to a Boolean random variable $[\![S]\!]^Z$, defined as follows:

$[\![\bot]\!]^Z = 0$
$[\![R^n(\theta_1, \ldots, \theta_n)]\!]^Z = R^n([\![\theta_1]\!]^Z, \ldots, [\![\theta_n]\!]^Z)$, where $R^n([\![\theta_1]\!]^Z, \ldots, [\![\theta_n]\!]^Z)(\omega) = R^n([\![\theta_1]\!]^Z(\omega), \ldots, [\![\theta_n]\!]^Z(\omega))$
$[\![h.ch!]\!]^Z = \chi_{\{\omega \,:\, [\![h]\!]^Z(\omega).ch! \in Z(\omega)(rdy)\}}$
$[\![\neg S]\!]^Z = 1 - [\![S]\!]^Z$
$[\![S_1 \vee S_2]\!]^Z = [\![S_1]\!]^Z + [\![S_2]\!]^Z - [\![S_1]\!]^Z * [\![S_2]\!]^Z$

where, given a set $S$, the characteristic function $\chi_S$ is defined such that $\chi_S(w) = 1$ if $w \in S$ and $\chi_S(w) = 0$ otherwise. The semantics of a formula $\varphi$ is interpreted over a stochastic process and an initial random variable. More precisely, it is a function $[\![\varphi]\!] : ([0, +\infty) \times \Omega \to (Var \to Val)) \to (\Omega \to (Var \to Val)) \to (\Omega \to \{0,1\})$ that maps a stochastic process $\mathcal{H}$ with initial state $Z$ to a Boolean random variable $[\![\varphi]\!]^{\mathcal{H}, Z}$. The definition is given below:

$[\![S \text{ at } T]\!]^{\mathcal{H}, Z} = \cdots$
$[\![\forall v.\varphi]\!]^{\mathcal{H}, Z} = \inf\{[\![\varphi[b/v]]\!]^{\mathcal{H}, Z} : b \in \mathbb{R}\}$
$[\![\forall t.\varphi]\!]^{\mathcal{H}, Z} = \inf\{[\![\varphi[b/t]]\!]^{\mathcal{H}, Z} : b \in \mathbb{R}^+\}$
$[\![\varphi_1 \vee \varphi_2]\!]^{\mathcal{H}, Z} = [\![\varphi_1]\!]^{\mathcal{H}, Z} + [\![\varphi_2]\!]^{\mathcal{H}, Z} - [\![\varphi_1]\!]^{\mathcal{H}, Z} * [\![\varphi_2]\!]^{\mathcal{H}, Z}$

The semantics of a probability formula $\mathcal{P}$ is defined by the function $[\![\mathcal{P}]\!] : ([0, +\infty) \times \Omega \to (Var \to Val)) \to (\Omega \to (Var \to Val)) \to \{0,1\}$ that maps a stochastic process $\mathcal{H}$ with initial state $Z$ to a Boolean value $[\![\mathcal{P}]\!]^{\mathcal{H}, Z}$. Formally,

$[\![P(\varphi) \bowtie p]\!]^{\mathcal{H}, Z} = (P([\![\varphi]\!]^{\mathcal{H}, Z} = 1) \bowtie p)$, where $P([\![\varphi]\!]^{\mathcal{H}, Z} = 1) = P\{\omega \in \Omega : [\![\varphi]\!]^{\mathcal{H}, Z}(\omega) = 1\}$

The semantics of $\neg$ and $\vee$ is defined as usual.

We have proved that the terms and formulas of the assertion language are measurable, as stated by the following theorem:

Theorem 2 (Measurability). For any random variable $Z$ and any stochastic process $\mathcal{H}$, the semantics $[\![\theta]\!]^Z$, $[\![S]\!]^Z$ and $[\![\varphi]\!]^{\mathcal{H}, Z}$ are random variables (i.e. measurable).

Proof. The proof of this theorem is given in the Appendix.

5.2 Specifications

Based on the assertion language, the specification for an SHCSP process $P$ is defined as a Hoare triple of the form $\{A; E\}\ P\ \{R; C\}$, where $A, E, R, C$ are probability formulas. $A$ and $R$ are the precondition and postcondition, which specify the initial state and the terminating state of $P$ respectively. In both of them, the formulas $\varphi$ that occur have the special form $S$ at now, which we abbreviate to $S$. $E$ is called an assumption of $P$; it expresses the timed occurrence of the duals of communication events, as provided by the environment. $C$ is called a commitment of $P$; it expresses the timed occurrence of communication events and the real-time properties of $P$.

Definition 1 (Validity). We say a Hoare triple $\{A; E\}\ P\ \{R; C\}$ is valid, denoted by $\models \{A; E\}\ P\ \{R; C\}$, iff for any process $Q$ and any initial states $\rho_1$ and $\rho_2$, if $P$ terminates, i.e. $(P \| Q, \rho_1 \uplus \rho_2) \to^* (\epsilon \| Q', \rho'_1 \uplus \rho'_2, \mathcal{H})$, then $A$ and $E$ imply $R$ and $C$, where $\mathcal{H}$ is the stochastic process of the evolution.

6 Proof System

We present a proof system for reasoning about valid Hoare triples for SHCSP processes. First we axiomatize the SHCSP language by defining the axioms and inference rules for all the primitive and compound constructs, and then the general rules and axioms that are applicable to all processes.

Skip The rule for skip is very simple. As indicated by $\top$, the skip process requires nothing from the environment in order to execute, and guarantees nothing during its execution.

$\{A; \top\}\ skip\ \{A; \top\}$

Assignment The assignment $x := e$ changes nothing but assigns $e$ to $x$ in the final state, taking no time to complete.

$\{A[e/x]; \top\}\ x := e\ \{A; \top\}$

Input For input $ch?x$, we use logical variables $o$, $h$ and $v$ in the precondition to denote the starting time, the initial trace, and the initial value of $x$ respectively. The assumption indicates that the compatible output event is not ready during $[o, o_1)$, and becomes ready at time $o_1$. As a consequence of the assumption, during the whole interval $[o, o_1]$ the input event keeps waiting and ready, as indicated by the commitment. At time $o_1$, the communication occurs and terminates immediately. As indicated by the postcondition, $x$ is assigned some received value $v'$, the trace is augmented by the new pair $(ch.v', o_1)$, and now is increased to $o_1$. Assume $A$ does not contain tr and $o_1$ is finite (this assumption is adopted for the rest of the paper). Let $h'$ be $h[v/x, o/now] \cdot (ch.v', o_1)$; the rule is presented as follows:

$\{A \wedge now = o \wedge tr = h \wedge x = v;\ \neg h.ch! \text{ dr } [o, o_1) \wedge h.ch! \text{ at } o_1\}\ ch?x\ \{A[o/now] \wedge now = o_1 \wedge \exists v'.(x = v' \wedge tr = h');\ h.ch? \text{ dr } [o, o_1]\}$

A communication event is equivalent to a sequential composition of a wait statement and an assignment, both of which are deterministic. Thus, as shown above, the formulas related to traces and readiness hold with probability 1.

If no such finite $o_1$ exists, i.e., the compatible output event never becomes available, the input event keeps waiting forever, as shown by the following rule:

$\{A \wedge now = o \wedge tr = h;\ \neg h.ch! \text{ dr } [o, \infty)\}\ ch?x\ \{A[o/now] \wedge now = \infty;\ h.ch? \text{ dr } [o, \infty)\}$

Output Similarly, for output $ch!e$ we have one rule for the case when the compatible input event becomes ready in finite time, so that the communication occurs successfully:

$\{A \wedge now = o \wedge tr = h;\ \neg h.ch? \text{ dr } [o, o_1) \wedge h.ch? \text{ at } o_1\}\ ch!e\ \{A[o/now] \wedge now = o_1 \wedge tr = h[o/now] \cdot (ch.e, o_1);\ h.ch! \text{ dr } [o, o_1]\}$

We also have another rule for the case when the compatible input event never becomes ready:

$\{A \wedge now = o \wedge tr = h;\ (\neg h.ch?) \text{ dr } [o, \infty)\}\ ch!e\ \{A[o/now] \wedge now = \infty;\ h.ch! \text{ dr } [o, \infty)\}$
Stochastic Differential Equation Let $f$ be a function, and $\lambda > 0$, $p > 0$ real values. We have the following rule for $\langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle$:

$f : \mathbb{R}^{d(s)} \to \mathbb{R}$ has compact support on $B$, $\lambda, p > 0$, $A \wedge B \to (f \le \lambda p)$, and $B \to (f \ge 0) \wedge (Lf \le 0)$
$\Longrightarrow\ \{A \wedge s = s_0 \wedge now = o;\ \top\}\ \langle ds = b\,dt + \sigma\,dW \,\&\, B\rangle\ \{P(f(s) \ge \lambda) \le p \wedge A[s_0/s, o/now] \wedge now = o + d \wedge cl(B);\ B \wedge P(f(s) \ge \lambda \text{ dr } [o, o + d]) \le p\}$

where $o, s_0$ are logical variables denoting the starting time and the initial value of $s$ respectively, $d$ is the execution time of the SDE, and $cl(B)$ returns the closure of $B$, e.g. $cl(x < 2) = x \le 2$; the Lie derivative $Lf(s)$ is defined as

$Lf(s) = \sum_i b_i(s)\,\frac{\partial f}{\partial s_i}(s) + \frac{1}{2}\sum_{i,j} \big(\sigma(s)\sigma(s)^T\big)_{ij}\,\frac{\partial^2 f}{\partial s_i \partial s_j}(s).$

The rule states that if the initial state of the SDE satisfies $f \le \lambda p$, and in the domain $B$, $f$ is always non-negative and $Lf$ is non-positive, then during the whole evolution of the SDE the probability of $f(s) \ge \lambda$ is less than or equal to $p$; on the other hand, during the evolution the domain $B$ holds almost surely, while at the end the closure of $B$ holds almost surely.
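To make the rule concrete, here is an added Python example (not from the paper) for a one-dimensional instance chosen by us: $ds = -k\,s\,dt + c\,s\,dW$ with $f(s) = s^2$ and $B$ the whole real line. By the formula above, $Lf(s) = (-2k + c^2)\,s^2$, so the side condition $Lf \le 0$ on $B$ holds exactly when $c^2 \le 2k$; with $f(s_0) \le \lambda p$ the rule then promises $P(f(s) \ge \lambda \text{ dr } [o, o + d]) \le p$. The code checks the sign conditions $f \ge 0$ and $Lf \le 0$ at sample points (the compact-support premise is not checked), computes the smallest admissible $p$, and compares that bound with a Monte Carlo estimate of the exceedance probability obtained from Euler-Maruyama paths. The function names are ours.

```python
import math
import random

# Added example, not the paper's code. Instance (our choice): drift b(s) = -k s,
# diffusion sigma(s) = c s, f(s) = s^2, domain B = all of R.

def f(s):
    return s * s

def lie_derivative(s, k, c):
    """Lf(s) = b(s) f'(s) + (1/2) sigma(s)^2 f''(s), the one-dimensional case of the
    rule's formula, for b(s) = -k s, sigma(s) = c s and f(s) = s^2."""
    return (-k * s) * (2.0 * s) + 0.5 * (c * s) ** 2 * 2.0

def side_conditions_hold(samples, k, c):
    """Checks B -> (f >= 0) and (Lf <= 0) at the given sample points of B."""
    return all(f(s) >= 0.0 and lie_derivative(s, k, c) <= 1e-12 for s in samples)

def rule_bound(s0, lam):
    """Smallest p with f(s0) <= lam * p, i.e. the bound the rule can certify."""
    return f(s0) / lam

def estimate_exceedance(s0, lam, horizon, k, c, dt=0.01, runs=1000, seed=11):
    """Monte Carlo estimate of P(f(s) >= lam at some time in [0, horizon]) using
    Euler-Maruyama paths of ds = -k s dt + c s dW started at s0."""
    rng = random.Random(seed)
    steps = int(horizon / dt)
    hits = 0
    for _ in range(runs):
        s = s0
        for _ in range(steps):
            if f(s) >= lam:            # the path has entered {f(s) >= lam}
                hits += 1
                break
            s += (-k * s) * dt + (c * s) * rng.gauss(0.0, math.sqrt(dt))
    return hits / runs

if __name__ == "__main__":
    k, c, s0, lam = 1.0, 1.0, 1.0, 4.0      # constructed parameters: c^2 = 1 <= 2k = 2
    print("side conditions:", side_conditions_hold([-3.0, -1.0, 0.0, 0.5, 2.0], k, c))
    print("rule bound p   :", rule_bound(s0, lam))
    print("MC estimate    :", estimate_exceedance(s0, lam, 3.0, k, c))
```

For $k = c = 1$, $s_0 = 1$ and $\lambda = 4$ the rule certifies $p = 0.25$; the simulated frequency of $f(s) \ge 4$ stays well below that, which is the expected situation for a sound but conservative bound. Setting $c = 2$ makes $Lf = 2s^2 > 0$ away from the origin, and `side_conditions_hold` reports that the rule no longer applies.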

Sequential Composition For $P; Q$, we use $o$ to denote the starting time, and $o_1$ the termination time of $P$ if $P$ terminates, which is also the starting time of $Q$. The first rule is for the case when $P$ terminates.

$\{A \wedge now = o; E\}\ P\ \{R_1 \wedge now = o_1; C_1\}\qquad \{R_1 \wedge now = o_1; C_1\}\ Q\ \{R; C\}$
$\Longrightarrow\ \{A; E\}\ P; Q\ \{R; C\}$

On the other hand, if $P$ does not terminate, the effect of executing $P; Q$ is the same as that of executing $P$ itself.

$\{A \wedge now = o; E\}\ P\ \{R \wedge now = \infty; C\}$
$\Longrightarrow\ \{A \wedge now = o; E\}\ P; Q\ \{R \wedge now = \infty; C\}$

Conditional There are two rules, depending on whether $B$ holds initially or not.

$A \to B,\quad \{A; E\}\ P\ \{R; C\}\ \Longrightarrow\ \{A; E\}\ B \to P\ \{R; C\}$
$A \to \neg B\ \Longrightarrow\ \{A; \top\}\ B \to P\ \{A; \top\}$

Probabilistic Choice The rule for $P \sqcup_p Q$ is defined as follows:

$\{A \wedge now = o; E\}\ P\ \{P(S) \bowtie_1 p_1;\ P(\varphi) \bowtie_2 p_2\}$
$\{A \wedge now = o; E\}\ Q\ \{P(S) \bowtie_1 q_1;\ P(\varphi) \bowtie_2 q_2\}$
$\Longrightarrow\ \{A \wedge now = o; E\}\ P \sqcup_p Q\ \{P(S) \bowtie_1 p\,p_1 + (1 - p)\,q_1;\ P(\varphi) \bowtie_2 p\,p_2 + (1 - p)\,q_2\}$

where $\bowtie_1, \bowtie_2$ are two relational operators. The final postcondition indicates that if, after $P$ executes, $S$ holds with probability $\bowtie_1 p_1$, and after $Q$ executes, $S$ holds with probability $\bowtie_1 q_1$, then after $P \sqcup_p Q$ executes, $S$ holds with probability $\bowtie_1 p\,p_1 + (1 - p)\,q_1$. The history formula can be understood similarly.

Communication Interrupt We define the rule for the special case (ds = b\,dt + \sigma\,dW \,\&\, B) \unrhd (ch?x \to Q) for simplicity, which can be generalized to the general case without any difficulty. We use o_f to denote the execution time of the SDE. The premise of the first rule indicates that the compatible event (i.e. h.ch!) is not ready after the continuous terminates. For this case, the effect of executing the whole process is thus equivalent to that of executing the SDE.

\[
\frac{\{A \wedge now = o;\ E\}\ (ds = b\,dt + \sigma\,dW \,\&\, B)\ \{R \wedge now = o + o_f;\ C\}\qquad A \wedge now = o \wedge E \Rightarrow (tr = h \wedge \neg h.ch!\ \mathrm{dr}\ [o, o + o_f])}
{\{A \wedge now = o;\ E\}\ (ds = b\,dt + \sigma\,dW \,\&\, B) \unrhd (ch?x \to Q)\ \{R \wedge now = o + o_f;\ C\}}
\]

On the contrary, when the compatible event gets ready before the continuous terminates, the continuous is interrupted by the communication, which is then followed by Q. Thus, as shown in the following rule, the effect of executing the whole process is equivalent to that of executing ch?x; Q, plus that of executing the SDE before the communication occurs, i.e. in the first o_1 time units.

\[
\frac{\begin{array}{c}
\{A \wedge now = o;\ E\}\ (ds = b\,dt + \sigma\,dW \,\&\, B)\ \{R \wedge now = o + o_f;\ C\}\\
(A \wedge now = o \wedge E) \Rightarrow (tr = h \wedge h.ch!\ \mathrm{at}\ (o + o_1) \wedge o_1 < o_f)\\
\{A \wedge B \wedge now = o;\ E\}\ ch?x; Q\ \{R_1;\ C_1\}
\end{array}}
{\{A \wedge now = o;\ E\}\ (ds = b\,dt + \sigma\,dW \,\&\, B) \unrhd (ch?x \to Q)\ \{R_1;\ R|_{[o, o + o_1)} \wedge C_1\}}
\]

where R|_{[o, o + o_1]} extracts from R the formulas before o + o_1, e.g., (P(S\ \mathrm{at}\ T) \bowtie p)|_{[o, o + o_1]} is equal to P(S\ \mathrm{at}\ T) \bowtie p if T is less than or equal to o + o_1, and true otherwise.

Parallel Composition For P \| Q, let X be X_1 \cap X_2 where X_1 = \Sigma(P) and X_2 = \Sigma(Q); then

\[
\frac{\begin{array}{c}
A \Rightarrow A_1 \wedge A_2,\qquad \{A_1 \wedge now = o;\ E_1\}\ P\ \{R_1 \wedge tr = \gamma_1 \wedge now = o_1;\ C_1\}\\
\{A_2 \wedge now = o;\ E_2\}\ Q\ \{R_2 \wedge tr = \gamma_2 \wedge now = o_2;\ C_2\}\\
\forall ch \in X.\ (C_1[o_1/now]|_{ch} \Rightarrow E_2|_{ch}) \wedge (C_2[o_2/now]|_{ch} \Rightarrow E_1|_{ch})\\
\forall dh \in X_1 \setminus X.\ E|_{dh} \Rightarrow E_1|_{dh}\qquad \forall dh' \in X_2 \setminus X.\ E|_{dh'} \Rightarrow E_2|_{dh'}
\end{array}}
{\{A \wedge now = o;\ E\}\ P \| Q\ \{R;\ C_1' \wedge C_2'\}}
\]

where A_1 is a property of P (i.e., it only contains variables of P), A_2 a property of Q, and o_1 and o_2, \gamma_1 and \gamma_2 are logical variables representing the time and trace at termination of P and Q respectively. Let o_m be \max\{o_1, o_2\}; R, C_1' and C_2' are defined as follows:

\[
\begin{aligned}
R &\stackrel{\mathrm{def}}{=} R_1[\gamma_1/tr, o_1/now] \wedge R_2[\gamma_2/tr, o_2/now] \wedge now = o_m \wedge \gamma_1|_X = \gamma_2|_X \wedge tr = \gamma_1 \| \gamma_2\\
C_i' &\stackrel{\mathrm{def}}{=} C_i[o_i/now] \wedge R_i'[o_i/now]\ \mathrm{dr}\ [o_i, o_m)\qquad \text{for } i = 1, 2
\end{aligned}
\]

where for i = 1, 2, R_i \Rightarrow R_i' but tr \notin R_i'. At termination of P \| Q, the time will be the maximum of o_1 and o_2, and the trace will be the alphabetized parallel of the traces of P and Q, i.e. \gamma_1, \gamma_2. In C_1' and C_2', we specify that none of the variables of P and Q except for now and tr will change after their termination.

Repetition For P^*, let k be an arbitrary non-negative integer; then (tr \notin A)

\[
\frac{\{A \wedge now = o + k * t \wedge tr = (h \cdot \alpha^k);\ E[o/now]\}\ P\ \{A \wedge now = o + (k+1) * t \wedge tr = (h \cdot \alpha^{k+1});\ C\}}
{\{A \wedge now = o \wedge tr = h;\ E\}\ P^*\ \{A \wedge now = o' \wedge tr = (h \cdot \alpha^*) + \tau;\ C \vee (o = o'\ \mathrm{at}\ now)\}}
\]

t and \alpha are logical variables representing the time elapsed and the trace accumulated, respectively, by each execution of P, and o and o' denote the starting and termination time of the loop (o' could be infinite).

The general rules that are applicable to all processes, such as Monotonicity, Case Analysis, and so on, are similar to those of traditional Hoare Logic. We do not list them here for reasons of space.

Theorem 3 (Soundness). If \vdash \{A; E\} P \{R; C\}, then \models \{A; E\} P \{R; C\}, i.e. every theorem of the proof system is valid.

Proof. The proof of this theorem can be found in the Appendix.

Example 1. For the aircraft example, define f(x, y) as |y|, and assume f(x_0, y_0) = |y_0| \le \lambda p, where p \in [0, 1]. Obviously, B \Rightarrow (f \ge 0) \wedge (Lf \le 0) holds. By applying the inference rule of SDE, we have the following result:

\[
\{now = o;\ True\}\ P_{azt}\ \{\exists d.\ now = o + d \wedge B \wedge P(f > \lambda) \le p;\ B \wedge P(f > \lambda\ \mathrm{dr}\ [o, o + d]) \le p\}
\]

which shows that the probability of the aircraft entering the dangerous state is always less than or equal to p during the flight. Thus, to guarantee the safety of the aircraft, p should be as small as possible. For instance, if the safety factor of the aircraft is required to be 99.98%, then p should be less than or equal to 0.0002, and correspondingly |y_0| \le 0.0002\,\lambda should be satisfied.


7 Conclusion 

This paper presents stochastic HCSP (SHCSP) for modelling hybrid systems with probability and stochasticity. SHCSP is expressive but complicated, with interacting discrete, continuous and stochastic dynamics. We have defined the semantics of stochastic HCSP and proved that it is well-defined with respect to stochasticity. We propose an assertion language for specifying time-related and probability-related properties of SHCSP, and have proved its measurability. Based on the assertion language, we define a compositional Hoare Logic for specifying and verifying SHCSP processes. The logic is an extension of traditional Hoare Logic, and can be used to reason about how the probability of a property changes with respect to the execution of a process. To illustrate our approach, we model and verify a case study on a flight planning problem at the end.
Appendix

7.1 The Semantics of SHCSP 

The semantics of the rest of SHCSP is given in Table 2. The semantics of skip and x := e are defined as usual, except that for each, an internal event occurs. Rule (Idle) says that a terminated configuration can keep idle arbitrarily, and then evolves to itself. For input ch?x, the input event has to be put in the ready set if it is enabled (In-1); then it may wait for its environment for any time d while keeping ready (In-2); or it performs a communication and terminates, and accordingly the corresponding event is removed from the ready set, x is assigned and tr is extended by the communication (In-3). The semantics of output ch!e is similarly defined by rules (Out-1), (Out-2) and (Out-3).

For P_1 \| P_2, we always assume that the initial states \rho_1 and \rho_2 are parallelable. There are four rules: both P_1 and P_2 evolve for d time units in case they can each delay d time units (Par-1); or P_1 may progress separately on internal events or external communication events (Par-2), and the symmetric case can be defined similarly (omitted here); or they together perform a synchronized communication (Par-3); or P_1 \| P_2 terminates when both P_1 and P_2 terminate (Par-4). At last, the semantics for conditional, sequential, internal choice, and repetition is defined as usual.

7.2 Proof of Theorem 1

Proof: We will prove the cadlag, adaptedness and Markov time properties by induction on the structure of SHCSP P. To simplify notation, we assume that the process P starts at time 0 and \Delta(P) is short for \Delta(P, P') if P' = \varepsilon.

- Cases skip, wait d and x := e: Deterministic times \Delta(skip) = \Delta(x := e) = 0 and \Delta(wait\ d) = d are trivial Markov times. For skip and wait d, H is adapted to the filtration generated by \rho. For x := e, H is adapted to \rho and e. For skip and x := e, H is trivially cadlag as the time domain is \{0\}.

- Case In-1: \Delta(ch?x, ch?x) = 0 is a trivial Markov time. H is cadlag and adapted to the filtration generated by \rho.

- Case In-2: \Delta(ch?x, ch?x) = d is a trivial Markov time. H is cadlag and adapted to the filtration generated by \rho.

- Case In-3: \Delta(ch?x) = d is a trivial Markov time. H is cadlag and adapted to the filtration generated by \rho and e.

For cases Out-1, Out-2 and Out-3, the fact can be proved similarly.

- Case (ds = b\,dt + \sigma\,dW \,\&\, B): \Delta((ds = b\,dt + \sigma\,dW \,\&\, B)) = \inf\{t \ge 0 : X_t \notin B\} is a Markov time if B is any Borel set. Here, X_t is the solution of the SDE ds = b\,dt + \sigma\,dW. H is adapted to the filtration generated by (W_s)_{s \le t} and \rho.

- Case B \to P: If B is true, executing B \to P is the same as executing P. By the induction hypothesis, \Delta(P) is a Markov time and H is cadlag and adapted. If B is false, the fact holds obviously.

- Case P \sqcup_p Q: By the induction hypothesis, \Delta(P) and \Delta(Q) are both Markov times. So \Delta(P \sqcup_p Q), the sum of the two Markov times p\Delta(P) and (1-p)\Delta(Q), is also a Markov time. By the induction hypothesis, H' for P and H'' for Q are both cadlag. Because cadlag functions form an algebra, H is also cadlag for every outcome of \sqcup. H is adapted, because H' and H'' are adapted and the choice \sqcup generates the filtration.

Table 2. The semantics of the rest of SHCSP

\[
\begin{array}{ll}
(skip, \rho) \to (\varepsilon, \rho[tr \mapsto tr \cdot \langle \tau, now \rangle]) & (\text{Skip}) \\[6pt]
(\varepsilon, \rho) \xrightarrow{d} (\varepsilon, \rho[now \mapsto now + d]) & (\text{Idle}) \\[6pt]
(x := e, \rho) \to (\varepsilon, \rho[x \mapsto e,\ tr \mapsto tr \cdot \langle \tau, now \rangle]) & (\text{Assign}) \\[6pt]
\dfrac{\rho(\omega)(tr).ch? \notin \rho(\omega)(rdy)}{(ch?x, \rho) \to (ch?x, \rho[rdy \mapsto rdy \cup \{tr.ch?\}])} & (\text{In-1}) \\[12pt]
\dfrac{\rho(\omega)(tr).ch? \in \rho(\omega)(rdy)}{(ch?x, \rho) \xrightarrow{d} (ch?x, \rho[now \mapsto now + d], H_d)} & (\text{In-2}) \\[12pt]
\dfrac{\rho(\omega)(tr).ch? \in \rho(\omega)(rdy)}{(ch?x, \rho) \to (\varepsilon, \rho[rdy \mapsto rdy \setminus \{tr.ch?\},\ x \mapsto b,\ tr \mapsto tr \cdot \langle ch.b, now \rangle])} & (\text{In-3}) \\[12pt]
\dfrac{\rho(\omega)(tr).ch! \notin \rho(\omega)(rdy)}{(ch!e, \rho) \to (ch!e, \rho[rdy \mapsto rdy \cup \{tr.ch!\}])} & (\text{Out-1}) \\[12pt]
\dfrac{\rho(\omega)(tr).ch! \in \rho(\omega)(rdy)}{(ch!e, \rho) \xrightarrow{d} (ch!e, \rho[now \mapsto now + d], H_d)} & (\text{Out-2}) \\[12pt]
\dfrac{\rho(\omega)(tr).ch! \in \rho(\omega)(rdy)}{(ch!e, \rho) \to (\varepsilon, \rho[rdy \mapsto rdy \setminus \{tr.ch!\},\ tr \mapsto tr \cdot \langle ch.e, now \rangle])} & (\text{Out-3}) \\[12pt]
\dfrac{(P_1, \rho_1) \xrightarrow{d} (P_1', \rho_1'),\quad (P_2, \rho_2) \xrightarrow{d} (P_2', \rho_2')}{(P_1 \| P_2, \rho_1 \uplus \rho_2) \xrightarrow{d} (P_1' \| P_2', \rho_1' \uplus \rho_2')} & (\text{Par-1}) \\[12pt]
\dfrac{(P_1, \rho_1) \xrightarrow{\beta} (P_1', \rho_1'),\quad \Gamma(\beta) \notin \Sigma(P_1) \cap \Sigma(P_2)}{(P_1 \| P_2, \rho_1 \uplus \rho_2) \xrightarrow{\beta} (P_1' \| P_2, \rho_1' \uplus \rho_2)} & (\text{Par-2}) \\[12pt]
\dfrac{(P_i, \rho_i) \to (P_i', \rho_i', H_i)\ \text{ for } i = 1, 2}{(P_1 \| P_2, \rho_1 \uplus \rho_2) \to (P_1' \| P_2', \rho_1' \uplus \rho_2', H_1 \uplus H_2)} & (\text{Par-3}) \\[12pt]
(\varepsilon \| \varepsilon, \rho_1 \uplus \rho_2) \to (\varepsilon, \rho_1 \uplus \rho_2) & (\text{Par-4}) \\[6pt]
\dfrac{\rho(\omega)(B) = T}{(B \to P, \rho) \to (P, \rho[tr \mapsto tr \cdot \langle \tau, now \rangle])} & (\text{Cond-1}) \\[12pt]
\dfrac{\rho(\omega)(B) = F}{(B \to P, \rho) \to (\varepsilon, \rho[tr \mapsto tr \cdot \langle \tau, now \rangle])} & (\text{Cond-2}) \\[12pt]
\dfrac{(P, \rho) \to (P', \rho', H)\qquad P' \neq \varepsilon}{(P; Q, \rho) \to (P'; Q, \rho', H)} & (\text{Seq-1}) \\[12pt]
\dfrac{(P, \rho) \to (\varepsilon, \rho', H)}{(P; Q, \rho) \to (Q, \rho', H)} & (\text{Seq-2}) \\[12pt]
\dfrac{(P, \rho) \to (P', \rho', H)\qquad P' \neq \varepsilon}{(P^*, \rho) \to (P'; P^*, \rho', H)} & (\text{Rep-1}) \\[12pt]
\dfrac{(P, \rho) \to (\varepsilon, \rho', H)}{(P^*, \rho) \to (P^*, \rho', H)} & (\text{Rep-2}) \\[12pt]
(P^*, \rho) \to (\varepsilon, \rho[tr \mapsto tr \cdot \langle \tau, now \rangle]) & (\text{Rep-3})
\end{array}
\]

- Case P; Q: Suppose (P; Q, \rho) \to (Q, \rho', H') and (Q, \rho') \to (\varepsilon, \rho'', H''). By the induction hypothesis, \Delta(P; Q, Q) = \Delta(P) is a Markov time and H' is cadlag and adapted to (\mathcal{F}'_t)_{t \ge 0}. \rho' is a random variable. By the induction hypothesis, \Delta(Q) is a Markov time and H'' is cadlag and adapted to (\mathcal{F}''_{t - \Delta(P)})_{t \ge \Delta(P)}. Obviously, \Delta(P; Q) = \Delta(P) + \Delta(Q) is a Markov time. H is adapted to (\mathcal{F}_t)_{t \ge 0}, since the two parts H', H'' are adapted. By the induction hypothesis, H is cadlag on [0, \Delta(P; Q, Q)) and on (\Delta(P; Q, Q), \infty), because the constituent fragments are. At \Delta(P; Q, Q), H is cadlag by construction.

- Case (ds = b\,dt + \sigma\,dW \,\&\, B)\ Q: This case can be defined by t := 0; (ds = b\,dt + \sigma\,dW \,\&\, t < d \wedge B); t \ge d \to Q. The fact can be proved similarly to the case P; Q.

- Case (ds = b\,dt + \sigma\,dW \,\&\, B) \unrhd \|_{i \in I}(w_i \cdot ch_i* \to Q_i): If the evolution terminates before any communication occurs, this case is the same as (ds = b\,dt + \sigma\,dW \,\&\, B). Otherwise, H is cadlag and adapted to the filtration generated by \rho, (W_s)_{s \le t} and the weights, and \Delta((ds = b\,dt + \sigma\,dW \,\&\, B) \unrhd \|_{i \in I}(w_i \cdot ch_i* \to Q_i)) is a Markov time, since the communication and Q_i are both Markov times.

- Case P \| Q: Suppose (P_1 \| P_2, \rho_1 \uplus \rho_2) \to (\varepsilon \| \varepsilon, \rho_1' \uplus \rho_2', H_1 \uplus H_2). Because the processes P and Q do not share variables, by the induction hypothesis, H = H_1 \uplus H_2 is cadlag and adapted to the filtration generated by \rho_1 \uplus \rho_2, (W_s)_{s \le t} and the weights (w_i)_{i \in I}. \Delta(P \| Q) = \max(\Delta(P), \Delta(Q)) is a Markov time.


□ 


7.3 Proof of Theorem 2

Proof: We will prove this fact by induction on the structure of \theta, S and \varphi.

[\theta]^\rho is a random variable:

1. [c]^\rho = c is a random variable trivially.

2. [x]^\rho = Y is a random variable, because Y(\omega) = Z(\omega)(x) for each \omega \in \Omega and Z is measurable. So is Y.

3. [f^k(\theta_1, \ldots, \theta_k)]^\rho = f^k([\theta_1]^\rho, \ldots, [\theta_k]^\rho) is a random variable, because [\theta_1]^\rho, \ldots, [\theta_k]^\rho are measurable and f^k is Borel-measurable. Thus, the composition f^k([\theta_1]^\rho, \ldots, [\theta_k]^\rho) is measurable (the \sigma-algebras in the composition are compatible).

The cases [o]^\rho, [now]^\rho, [\varepsilon]^\rho and [\langle ch.\theta, T \rangle]^\rho can be proved similarly.

4. [h_1 \cdot h_2]^\rho = [h_1]^\rho \cdot [h_2]^\rho is a product. It is also measurable by the induction hypothesis (measurable functions form an algebra).

[S]^\rho is a random variable:

1. [\bot]^\rho = 0 is trivially measurable.

2. [h.ch?]^\rho = \{\omega \mid h(\omega).ch? \in \rho(\omega)(rdy)\} is measurable, because [h.ch?]^\rho = 0 or 1.

3. [\neg S]^\rho = 1 - [S]^\rho is measurable ([S]^\rho is measurable).

[R^k(\theta_1, \ldots, \theta_k)]^\rho, [h.ch!]^\rho and [S_1 \vee S_2]^\rho can be proved similarly.

[\varphi]^{\rho,H} is a random variable:

1. [\bot]^{\rho,H} = 0 is trivially measurable.

2. [S\ \mathrm{at}\ t]^{\rho,H} is measurable, because [S]^{H(t)} is.

3. [\neg \varphi]^{\rho,H} = 1 - [\varphi]^{\rho,H} is measurable ([\varphi]^{\rho,H} is measurable).

4. The quantifier case, \inf\{[\varphi[b/v]]^{\rho,H} : b \in \mathbb{R}\}, is measurable for the following reason. By Theorem 1, H is measurable (adapted). By the induction hypothesis, [\varphi[b/v]]^{\rho,H} is measurable for each b. Consider a rational mesh \pi := \{b_1, b_2, \ldots, b_n\} \subset \mathbb{Q} with b_1 < b_2 < \cdots < b_n. It is obvious that [\varphi[b/v]]^{\rho,H} is measurable for each b \in \pi. So, the (finite) countable infimum \inf\{[\varphi[b/v]]^{\rho,H} : b \in \pi\} is measurable. Then, the countable infimum \inf\{[\varphi[b/v]]^{\rho,H} : b \in \pi \text{ for a rational mesh } \pi\} is measurable, because the set of rational meshes is countable. Notice that H is cadlag by Theorem 1, so \inf\{[\varphi[b/v]]^{\rho,H} : b \in \mathbb{R}\} is measurable.

[\varphi_1 \vee \varphi_2]^{\rho,H} and the remaining cases can be proved similarly.

□ 


7.4 Proof of Theorem 3

Proof: To prove soundness, we need to show that the axioms are valid, and that every inference rule in the proof system preserves validity. That is, if every premise of the rule is valid, then the conclusion is also valid.

We will prove the soundness theorem by induction on the structure of Stochastic HCSP processes S. In the following proof, we always assume S executes in parallel with its environment E, and (S \| E, \rho_1 \uplus \rho_2) \to (\varepsilon, \rho_1' \uplus \rho_2', H), where H is the stochastic process of the evolution and T_0 = \rho_1(now), for simplicity. Moreover, for readability, we will write [A]^\rho and [E]^{\rho,H} as \rho \models A and \rho, H \models E, for any state \rho, any stochastic process H, any state formula A, and any formula E.

- Case skip: The fact holds trivially from the fact \rho_1' = \rho_1[tr + \tau].

- Case Assignment x := e: From the operational semantics, we have \rho_1' = \rho_1[x \mapsto e, tr \mapsto tr \cdot \langle \tau, now \rangle]. Assume \rho_1 \models (A \wedge tr = h)[e/x]; we need to prove \rho_1' \models A \wedge tr = h + \tau. Obviously this holds.

- Case Input ch?x: From the operational semantics, we have \rho_1' = \rho_1[now \mapsto T_0 + d, x \mapsto b, tr \mapsto tr \cdot \langle ch.b, T_0 + d \rangle] for some d \ge 0 and b; and for any \omega \in \Omega and any t \in [T_0, T_0 + d), \rho_1(\omega)(tr).ch!|_{ch} \notin H(t, \omega)(rdy)|_{ch} and \rho_1(\omega)(tr).ch!|_{ch} \in H(T_0 + d, \omega)(rdy)|_{ch}; and for any t \in [T_0, T_0 + d], \rho_1(\omega)(tr).ch? \in H(t, \omega)(rdy). Assume \rho_1 \models A \wedge now = o \wedge tr = h \wedge x = v and \rho_2, H \models \neg h.ch!\ \mathrm{dr}\ [o, o_1) \wedge h.ch!\ \mathrm{at}\ o_1; we need to prove that \rho_1' \models A[v/x, o/now] \wedge now = o_1 \wedge \exists v'.(x = v' \wedge tr = h') and \rho_1', H \models h.ch?\ \mathrm{dr}\ [o, o_1), where h' is h[v/x, o/now] \cdot \langle ch.v', o_1 \rangle.
First, from \rho_1 \models A \wedge now = o \wedge x = v and the assumption that A does not contain tr, we have \rho_1 \models A[v/x, o/now]. Comparing \rho_1' with \rho_1, we find that only the variables tr, now and x are changed. Since A does not contain tr, we obtain \rho_1' \models A[v/x, o/now].

From the assumption \rho_2, H \models \neg h.ch!\ \mathrm{dr}\ [o, o_1) \wedge h.ch!\ \mathrm{at}\ o_1, we get the fact that \forall t \in [o, o_1).\ H(t, \cdot)(h).ch!|_{ch} \notin H(t, \cdot)(rdy)|_{ch}, and H(t, \cdot)(h).ch!|_{ch} \in H(o_1, \cdot)(rdy)|_{ch}. From \rho_1 \models tr = h, we have \rho(\cdot)(tr) = \rho(\cdot)(h), and obviously H(\cdot)(tr) = H(\cdot)(h), since the number of ch in h does not change during the waiting time. Together with the fact that T_0 = o, we finally obtain T_0 + d = o_1. So \rho_1', H \models now = o_1 holds.

Denote \rho_1'(\cdot)(x) by c; then \rho_1' \models \exists v'.\ x = v' holds by assigning v' with c. From the semantics of substitution, \rho_1'(\cdot)(tr) = \rho_1(\cdot)(h) \cdot \langle ch.c, T_0 + d \rangle. On the other hand, \rho_1'(\cdot)(h[v/x, o/now] \cdot \langle ch.v', o_1 \rangle) = \rho_1(\cdot)(h) \cdot \langle ch.c, o_1 \rangle. Thus, together with the above fact, we prove that \rho_1' \models \exists v'.(x = v' \wedge tr = h').

Finally, from the operational rule, we have \rho_1', H \models \rho_1(\cdot)(tr).ch?\ \mathrm{dr}\ [T_0, T_0 + d]. Based on the facts T_0 = o, T_0 + d = o_1, and \rho_1(\cdot)(tr) = \rho_1(\cdot)(h), we prove the result.

- Case Output ch!e: The fact can be proved similarly to ch?x.

- Case Continuous (ds = b\,dt + \sigma\,dW \,\&\, B): First assume the continuous terminates. To prove this, we first introduce two lemmas.

Lemma 1. Let X_t be an a.s. right continuous strong Markov process (e.g. the solution of an SDE) and X_0 = x. If f \in C^2(\mathbb{R}^n, \mathbb{R}) has compact support and \tau is a Markov time with E^x \tau < \infty, then

\[
E^x f(X_\tau) = f(x) + E^x \int_0^{\tau} Af(X_s)\,ds
\]

where Af(x) := \lim_{t \downarrow 0} \dfrac{E^x f(X_t) - f(x)}{t}.

Lemma 2. If f(X_t) is a cadlag supermartingale with respect to the filtration generated by (X_t)_{t \ge 0} and f \ge 0 on the evolution domain of X_t, then for all \lambda > 0:

\[
P\Big(\sup_{t \ge 0} f(X_t) > \lambda \,\Big|\, \mathcal{F}_0\Big) \le \frac{E f(X_0)}{\lambda}.
\]


We have \rho_1' = \rho_1[now \mapsto T_0 + d, s \mapsto X(d, \cdot), tr + \tau] for some d \ge 0, where X : [0, +\infty) \times \Omega \to \mathbb{R}^n is the solution of the SDE; and for all t \in [T_0, T_0 + d), H(t, \cdot)(s) = X(t, \cdot). We define another random variable Y = \sup\{f(X_t) : t \in [0, d)\}. f \in C^2(\mathbb{R}^n, \mathbb{R}) has compact support on B. Consider any x \in \mathbb{R}^n and any time r \ge 0. The deterministic time r is a Markov time with E^x r = r < \infty. By Lemma 1, we have

\[
E^x f(X_r) = f(x) + E^x \int_0^{r} Af(X_t)\,dt
\]

where Af = Lf \le 0 by the premise. So Af(X_t)\,dt \le 0, hence \int_0^r Af(X_t)\,dt \le 0. This implies E^x f(X_r) \le f(x) for all x.

Since the filtration is right-continuous and f \in C^2(\mathbb{R}^n, \mathbb{R}) is compactly supported, the strong Markov property for X_t implies for all t \ge r \ge 0 that E^x(f(X_t) \mid \mathcal{F}_r) = E^{X_r} f(X_{t-r}) \le f(X_r). Thus, f(X_t) is a supermartingale with respect to X_t, because it is adapted to the filtration of X_t and E^x|f(X_t)| < \infty for all t, since f \in C^2(\mathbb{R}^n, \mathbb{R}) has compact support. Consider any initial state X_0 for X. By Lemma 2 and the premises, we have

\[
P\Big(\sup_{t \ge 0} f(X_t) > \lambda \,\Big|\, \mathcal{F}_0\Big) \le \frac{E f(X_0)}{\lambda} \le \frac{\lambda p}{\lambda} = p.
\]

The fact holds.

The other case is that the continuous does not terminate in finite time. From the proof above, for any d \ge 0, we have P_{\le p}(f(s) > \lambda)\ \mathrm{dr}\ [T_0, T_0 + d]. So we get P_{\le p}(f(s) > \lambda)\ \mathrm{dr}\ [T_0, \infty). The result holds.

- Case Sequential Composition P; Q: We assume the intermediate state at termination of P is \rho_1'' (thus Q will start from \rho_1''[tr + \tau]), and the behaviors of P and Q are H_1 and H_2 respectively, whose concatenation is exactly H. Assume we have \rho_1 \models A \wedge now = o and \rho_1, H \models E; we need to prove that \rho_1' \models R and \rho_1', H \models C_1[o_1/now] \wedge C, where \{A \wedge now = o; E\} P \{R_1 \wedge now = o_1 \wedge tr = h_1; C_1\} and \{R_1 \wedge now = o_1 \wedge tr = h_1 + \tau; E[o/now]\} Q \{R; C\} as in the rule for sequential composition.

According to the inference rules, from \{A \wedge now = o; E\} P \{R_1 \wedge now = o_1 \wedge tr = h_1; C_1\}, we get \{A \wedge now = o; E|_{\le o_1}\} P \{R_1 \wedge now = o_1 \wedge tr = h_1; C_1\}, where E|_{\le o_1} only addresses the behavior of the environment before or at time o_1. Then the proof is given as follows: First, from \rho_1, H \models E, we have \rho_1, H_1 \models E|_{\le o_1}; then by the induction hypothesis for P, we have \rho_1'' \models R_1 \wedge now = o_1 \wedge tr = h_1 and \rho_1'', H_1 \models C_1. Similarly, by the induction hypothesis again for Q, we have \rho_1' \models R and \rho_1', H_2 \models C, hence \rho_1', H \models C. From \rho_1'', H_1 \models C_1, we have \rho_1', H \models C_1[o_1/now]. The result is proved finally.

- Case Probabilistic Choice P \sqcup_p Q: We may assume \bowtie is \ge. From the operational semantics, we have \{P_{\ge p'}(S); E\} P \{P_{\ge p_1}(S); C_1\} with probability p and \{P_{\ge p'}(S); E\} Q \{P_{\ge p_2}(S); C_2\} with probability 1 - p. Assume \rho_1 \models A and \rho_2, H \models E. By the law of total probability, we easily get \rho_1' \models P_{\ge p p_1 + (1-p) p_2}(S) and \rho_1', H \models C_1 \vee C_2.

- Case Communication Interrupt: Assume \rho_1 \models A \wedge now = o, and \rho_2, H \models E. For the first case, assume we have \{A \wedge now = o; E\} (ds = b\,dt + \sigma\,dW \,\&\, B) \{R \wedge now = o + o_f; C\} and (A \wedge now = o \wedge E) \Rightarrow (tr = h \wedge \neg h.ch!\ \mathrm{dr}\ [o, o + o_f]); we need to prove \rho_1' \models R \wedge now = o + o_f and \rho_1', H \models C. From the assumption, we have \rho_1 \models tr = h and \rho_2, H \models \neg h.ch!\ \mathrm{dr}\ [o, o + o_f]. According to the operational semantics, the final state and the behavior of the interrupt are equal to those of the continuous. The result holds by the induction hypothesis.

For the second case, assume we have \{A \wedge now = o; E\} (ds = b\,dt + \sigma\,dW \,\&\, B) \{R \wedge now = o + o_f; C\}, (A \wedge now = o \wedge E) \Rightarrow (tr = h \wedge h.ch!\ \mathrm{at}\ (o + o_1) \wedge o_1 < o_f), and \{A \wedge now = o; E\} ch?x; Q \{R_1; C_1\}; we need to prove \rho_1' \models R_1 and \rho_1', H \models (P_{\le p}(f(s) > \lambda) \wedge B)\ \mathrm{dr}\ (o, o + o_1) \wedge C_1. From the assumption, we have \rho_1 \models tr = h and \rho_2, H \models \neg h.ch!\ \mathrm{dr}\ [o, o + o_1) \wedge h.ch!\ \mathrm{at}\ (o + o_1) \wedge o_1 < o_f. According to the operational semantics, the final state and the behavior of the interrupt are equal to those of ch?x; Q, but in the first o_1 time units the continuous is also executing. The result also holds by the induction hypothesis.

- Case Parallel Composition P \| Q: From the operational semantics, there must exist \rho_{11} and \rho_{11}', \rho_{12} and \rho_{12}' for the initial states and terminating states of P and Q respectively, which satisfy: \rho_1 = \rho_{11} \uplus \rho_{12} and \rho_1' = \rho_{11}' \uplus \rho_{12}'; \rho_{11}'(\cdot)(tr)|_X = \rho_{12}'(\cdot)(tr)|_X (assuming P and Q terminate at the same time here, which will be generalized in the following proof). Assume we have \rho_1 \models A \wedge now = o, and \rho_2, H \models E; we need to prove \rho_1' \models R and \rho_1', H \models C_1' \wedge C_2', where \{A_1 \wedge now = o; E_1\} P \{R_1 \wedge tr = \gamma_1 \wedge now = o_1; C_1\} and \{A_2 \wedge now = o; E_2\} Q \{R_2 \wedge tr = \gamma_2 \wedge now = o_2; C_2\} hold; and the compatibility checks \forall ch \in X.\ (C_1[o_1/now]|_{ch} \Rightarrow E_2|_{ch}) \wedge (C_2[o_2/now]|_{ch} \Rightarrow E_1|_{ch}), \forall dh \in X_1 \setminus X.\ E|_{dh} \Rightarrow E_1|_{dh}, and \forall dh' \in X_2 \setminus X.\ E|_{dh'} \Rightarrow E_2|_{dh'} hold. Among them, R, C_1' and C_2' are defined as in the rule for parallel composition. The proof is given by the following steps.

First of all, we prove that \rho_{11}', H \models C_1 and \rho_{12}', H \models C_2. If they do not hold, assume C_1 fails to hold not later than C_2, and the first time for which C_1 does not hold is t_1 (when it exists); then for all t < t_1, C_2 holds. There are three kinds of formulas at time t_1 in C_1: if the formula is for internal variables or internal communication (between P and Q) non-readiness, then it does not depend on Q or E, and according to the fact that C_1 holds before time t_1, it must hold at t_1; if the formula is for external communication readiness, first from the compatibility check, for any channel dh \in X_1 \setminus X, it does not occur in C_2, so we have E|_{dh} \Rightarrow E_1|_{dh}, where E|_{dh} extracts the formulas related to communications along dh from E. Then from \rho_2, H \models E, we have \rho_2, H \models E_1|_{dh}, and thus \rho_{12}' \uplus \rho_2, H \models E_1|_{dh}. By the induction hypothesis, the formula considered must hold at t_1; if the formula is for internal communication readiness, then there must exist an open interval (t_0, t_1) during which it is not satisfied. From the assumption, C_2 holds in the interval (t_0, t_1), thus E_1|_X holds in the interval (t_0, t_1). By induction, the internal communication readiness assertions in C_1 hold in the interval (t_0, t_1). We thus get a contradiction. Therefore, we get the fact that both \rho_{11}', H \models C_1 and \rho_{12}', H \models C_2 hold. On the other hand, if such t_1 does not exist, there must exist an open interval (t_2, t_3) such that for all t \le t_2, C_1 and C_2 hold, while C_1 does not hold in (t_2, t_3). The proof is very similar to the above case. We omit it here to avoid repetition.

Based on the above facts, from \rho_1 \models A_1 and \rho_1, H \models E, and the compatibility check, we therefore have \rho_{12} \uplus \rho_2, H \models E_1. Similarly, we get for the other process Q that \rho_{12} \models A_2 \wedge now = o, and \rho_{11} \uplus \rho_2, H \models E_2. Then, by induction on P and Q, we have \rho_{11}' \models R_1 \wedge tr = \gamma_1 \wedge now = o_1 and \rho_{11}', H \models C_1, and \rho_{12}' \models R_2 \wedge tr = \gamma_2 \wedge now = o_2 and \rho_{12}', H \models C_2 respectively.

Notice that \rho_{11}' \uplus \rho_{12}', i.e. \rho_1', only redefines the values of tr and now, where the communications are arranged in order according to their occurrence times, and the variable now takes the greater value between \rho_{11}'(\cdot)(now) and \rho_{12}'(\cdot)(now). Obviously, we have \rho_1' \models R_1[\gamma_1/tr, o_1/now] \wedge R_2[\gamma_2/tr, o_2/now] \wedge now = o_m. And \rho_1' \models \gamma_1|_X = \gamma_2|_X holds because of synchronization. From the definition of \uplus, \rho_1'(tr)(\cdot) \in \rho_{11}'(tr)(\cdot) \|_X \rho_{12}'(tr)(\cdot), so we easily get the fact \rho_1' \models tr = \gamma_1 \| \gamma_2. Thus R holds for the final state.

From \rho_{11}', H \models C_1 and \rho_{12}', H \models C_2, considering that only now changes and matters, we have \rho_1', H \models C_1[o_1/now] \wedge C_2[o_2/now]. After P or Q terminates, only rdy, tr and now may change; together with the facts that R_1 and R_2 do not contain readiness, R_1 \Rightarrow R_1', R_2 \Rightarrow R_2', and R_1', R_2' do not contain tr, we have \rho_1', H \models R_1'[o_1/now]\ \mathrm{dr}\ [o_1, now) and \rho_1', H \models R_2'[o_2/now]\ \mathrm{dr}\ [o_2, now). The whole result is proved.

- Case Repetition P^*: From the operational semantics, there must exist a finite integer n \ge 0, and \rho_{11}, \ldots, \rho_{1n}, such that (P^* \| E', \rho_{11} \uplus \rho_2) \to (\varepsilon; P^* \| E', \rho_{12} \uplus \rho_{21}) \ldots (P^* \| E', \rho_{1n} \uplus \rho_2) \to (\varepsilon \| E', \rho_{1n}[tr + \tau] \uplus \rho_2), where \rho_{11} = \rho_1 and \rho_{1n}[tr + \tau] = \rho_1'. Assume \rho_1 \models A \wedge now = o \wedge tr = h and \rho_2, H \models E; we need to prove that \rho_1' \models A \wedge now = o' \wedge tr = h \cdot \alpha^* + \tau and \r\rho_1', H \models C \vee (o = o'\ \mathrm{at}\ now), where \{A \wedge now = o + k * t \wedge tr = h \cdot \alpha^k; E[o/now]\} P \{A \wedge now = o + (k+1) * t \wedge tr = h \cdot \alpha^{k+1}; C\} holds as defined in the rule for Repetition for any non-negative integer k.

If n = 1, then we have \rho_1[tr + \tau] = \rho_1'; let o = o', and the fact holds directly. If n > 1, from \rho_1 \models A \wedge now = o \wedge tr = h and \rho_2, H \models E[o/now], let k be 0; by the induction hypothesis, we have \rho_{12} \models A \wedge now = o' \wedge tr = h \cdot \alpha by assigning o' as o + t, and \rho_{12}, H \models C. Recursively repeating the proof, together with the fact that for any k, \rho_{1k}, H \models E[o/now], we prove the result.


□ 


